Transparent Squid + WCCP + Cisco
Hi everybody!!!
I am stuck in a situation that needs me to implement a Squid cache in transparent mode with WCCP enabled on a Cisco router, as below:
Cache Server : 192.168.64.120/24
Router with NAT configured : 192.168.64.1
LAN Clients : 192.168.64.1/24
Here is my Squid config in squid.conf:
http_port 127.0.0.1:3128 transparent
http_port 192.168.64.120:3128 transparent
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist scripts
hierarchy_stoplist php
hierarchy_stoplist asp
hierarchy_stoplist jsp
acl QUERY urlpath_regex cgi-bin \? asp php jsp scripts
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
maximum_object_size 100 MB
cache_dir ufs /var/cache/squid 20000 34 256
access_log /var/log/squid/access.log squid
refresh_pattern -i \.(htm|html|phtml|shtml)$ 43200 90% 129600
refresh_pattern -i \.(bmp|gif|jpeg|jpg)$ 43200 90% 129600
refresh_pattern -i \.(mov|wav|mp3|avi|ram)$ 43200 90% 129600
refresh_pattern -i \.(ps|midi|au|ra|rm)$ 43200 90% 129600
refresh_pattern -i \.(tar|zip|gz|js)$ 43200 90% 129600
refresh_pattern -i \.(doc|pdf|txt)$ 43200 90% 129600
acl all src 0.0.0.0/0.0.0.0
acl class1 src 10.0.0.0/255.0.0.0
acl class2 src 172.16.0.0/255.255.0.0
acl class3 src 80.75.2.0/255.255.255.0
acl class4 src 85.15.61.0/255.255.255.0
acl class5 src 192.168.0.0/255.255.0.0
acl PURGE method purge
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl public_snmp snmp_community public
acl worm1 urlpath_regex -i /readme.eml /sample.exe /whatever.exe /153.lzh /JDBGMGR.EXE
acl worm2 url_regex -i banners.interfree.it 213.158.72.68
acl CodeRed urlpath_regex \/default\.ida\?
acl msie6 browser MSIE[[:space:]]6
acl msn-hotmail dstdomain .hotmail.msn.com
header_access Accept-Encoding deny msie6 msn-hotmail
http_access deny worm1
http_access deny worm2
http_access deny CodeRed
http_access allow manager localhost
http_access allow purge localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow localhost
http_access allow class1
http_access allow class2
http_access allow class3
http_access allow class4
http_access allow class5
http_access deny purge
http_access deny all
http_reply_access allow all
icp_access allow all
snmp_access allow public_snmp localhost
snmp_access deny all
visible_hostname Metro-Cache
cache_effective_user squid
cache_effective_group squid
buffered_logs on
coredump_dir /var/cache
wccp2_router 192.168.64.1
debug_options ALL,1 80,5
=======================================================
iptables configuration:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 192.168.64.120:3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i wccp0 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i wccp0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
** By the way, I configured it with REDIRECT too!!!
===============================================================
And the Cisco 2600 config:
Current configuration : 1929 bytes
!
! Last configuration change at 16:55:38 irst Sat Nov 15 2008 by admin
! NVRAM config last updated at 16:55:54 irst Sat Nov 15 2008 by admin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname behTest
!
aaa new-model
aaa authentication login default local
aaa authentication login test group radius enable
enable secret 5 $1$xsdfgdsgf2Ow$3ikxxQ8/zgfgfghRornYTtXfO2V0
enable password 7 130019022B5sdsdfwettwet951
!
username admin password 7 030752180sdfwsgaewtgerynl5;;0'0
clock timezone irst 3 30
ip subnet-zero
ip wccp web-cache
ip flow-cache timeout active 1
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.64.1 255.255.255.128
ip helper-address 192.168.64.3
ip nat inside
ip route-cache flow
half-duplex
traffic-shape group 101 16000 1000 1000 1000
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Ethernet0/1
ip address 85.15.61.170 255.255.255.248
ip nat outside
ip route-cache flow
ip wccp web-cache redirect out
half-duplex
!
interface Ethernet1/0
ip address 172.16.0.1 255.255.255.248
half-duplex
!
ip nat inside source list 20 interface Ethernet0/1 overload
ip nat inside source static 192.168.64.3 85.15.61.172
ip nat inside source static 172.16.0.2 85.15.61.171
ip flow-export source Ethernet0/0
ip flow-export version 5
ip flow-export destination 192.168.64.3 9996
ip classless
ip route 0.0.0.0 0.0.0.0 85.15.61.169
ip http server
ip pim bidir-enable
!
logging trap debugging
logging source-interface Ethernet0/0
logging 192.168.64.26
access-list 20 permit 192.168.64.0 0.0.0.127
access-list 20 permit 172.16.0.0 0.0.255.255
access-list 101 permit ip host 192.168.64.34 any
!
line con 0
line aux 0
line vty 0 4
logging synchronous
!
ntp clock-period 17180003
ntp server 132.163.4.103
end
** Also configured with both versions of WCCP.
======================================
Also, as there is in iptables, I've created a GRE tunnel (wccp0) and added it as below:
# GRE tunnel endpoint for WCCP: remote = router, local = cache server
ip tunnel add wccp0 mode gre remote 192.168.64.1 local 192.168.64.120 dev eth0
# reuse the cache's address on the tunnel so redirected packets are delivered locally
ip addr add 192.168.64.120/32 dev wccp0
ip link set wccp0 up
======================================
I also loaded the ip_gre module.
=====================
Everything is looking good, but... there is nothing in tail -f access.log, and also when I use ifconfig there is no traffic on the GRE tunnel!!!
By the way, when I use tcpdump I can see this error every 2-3 seconds:
802.1d unkown version
=================
Please help ASAP.... Many thanks, friends....
Thanks.